Remcos RAT is a remote access trojan sold by Breaking Security. It is marketed as a legitimate remote-administration tool but is widely abused for malicious operations, including building botnets. It can capture screenshots, log keystrokes, and exfiltrate the collected data to attacker-controlled servers; it is delivered through several methods and receives ongoing updates from its vendor. #RemcosRAT #BreakingSecurity
Keypoints
- Remcos RAT is a remote access trojan sold by Breaking Security to anyone who buys a licence; buyers may use it for legitimate administration, but it is readily deployed for destructive activity.
- The malware can capture screenshots, record keystrokes, and send the collected data to attacker-controlled host servers.
- Delivery methods include executables whose file names are chosen to convince the user to open them, and lures posing as Microsoft Word attachments that download and run the main payload; recent distributions also use disk-image (ISO/IMG) files.
- Executable payloads rely on built-in Windows utilities: schtasks.exe to create and manage scheduled tasks for persistence, and the Visual Basic .NET compiler (vbc.exe) to compile attacker-supplied source code on the victim host. Both are signed Microsoft binaries already present on the system, so their activity blends into normal operations and evades simple allow-listing.
- Disk-image payloads bypass UAC by abusing easinvoker.exe (an auto-elevating Windows binary that can be made to side-load an attacker DLL). The image is mounted as a virtual CD-ROM (it appears under a \Device\CdRom device path) and the malware is executed from the mounted drive.
- Discovered IOCs include several file hashes, domains, and IPs, enabling detection and blocking efforts.
- Detection and response guidance comprises a broad set of SIEM queries across major platforms (Splunk, QRadar, Elastic, etc.), targeting specific file events, commands, and artifacts related to Remcos activity.
- Overall, Remcos is a potent, affordable RAT with robust capabilities; it is updated monthly by its owner, which keeps it usable across a variety of attack deployments.
MITRE Techniques
- [T1113] Screen Capture – Remcos can capture screenshots and relay the data to its operator. “Remcos trojan can capture screenshots, record keystrokes on infected machines, and send the collected information to host servers.”
- [T1056] Keylogging – The malware records keystrokes on infected machines as part of its data collection. “record keystrokes on infected machines”
- [T1041] Exfiltration Over C2 Channel – Collected data is exfiltrated to the operator's host servers. “send the collected information to host servers.”
- [T1036] Masquerading – Delivery as benign-looking files to trick users into running the payload. “delivered in different forms… as an executable file with the name that should convince users to open it, or it pretends to be a Microsoft Word file”
- [T1566.001] Phishing: Spearphishing Attachment – Payloads masquerade as Word documents or similar to entice execution. “pretends to be a Microsoft Word file to download and execute the main payload.”
- [T1059.005] Visual Basic – Use of vbc.exe to compile attacker code on the system. “vbc.exe to compile attacker code on the system.” Note that vbc.exe compiles VB.NET source rather than running a script; analysts also map this behaviour to T1127 (Trusted Developer Utilities Proxy Execution).
- [T1053.005] Scheduled Task/Job: Scheduled Task – Using schtasks.exe to create, delete, query, change, run, and end scheduled tasks. “schtasks.exe which enables an administrator to create, delete, query, change, run, and end scheduled tasks”
- [T1548.002] Bypass User Account Control – UAC bypass techniques using easinvoker.exe. “UAC bypass techniques with easinvoker.exe”
- [T1091] Replication Through Removable Media – ISO/image payloads mounted as a virtual CD-ROM (\Device\CdRom) to execute malware. “Image files are mounted via DeviceCdRom and malware is getting executed.” Note that no physical media is involved here; the ISO lure is more commonly mapped to T1553.005 (Subvert Trust Controls: Mark-of-the-Web Bypass), because files extracted from a mounted image do not carry the Mark-of-the-Web.
Indicators of Compromise
- [File Hashes] (MD5) – 6d25e04e66cccb61648f34728af7c2f2, F331c18c3f685d245d40911d3bd20519
- [Domains] – http[:]//geoplugin.net/json.gp, falimore001[.]hopto.org. Note that geoplugin.net is a legitimate public geolocation API that Remcos queries to locate the victim; treat it as a correlation signal rather than a standalone block indicator. hopto.org is a No-IP dynamic-DNS domain, so block the specific host name, not the parent domain.
- [IP Addresses] – 178[.]237.33.50, 194[.]147.140.29
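The behaviours in the Keypoints and MITRE sections above translate into a small set of host-level detections: vbc.exe compiling source outside a build tool, schtasks.exe creating a task that points into a user-writable directory, easinvoker.exe running from anywhere other than System32/SysWOW64, a payload launched by explorer.exe from a non-system drive after a disk image was dropped, plus matching of the listed IOCs. The following is an added example (not the source article's SIEM queries) that runs those rules over constructed Sysmon-style events; the field names follow Sysmon Event ID 1, 3, 11 and 22, the paths and the user name "victim" are constructed, and the IOC values are the ones listed on this page.

```python
"""Detections for the Remcos TTPs summarised on this page, run over constructed
Sysmon-style events. Example code added to the summary; not from the source article.
Assumptions: Sysmon field names (Image, ParentImage, CommandLine, Hashes, TargetFilename,
DestinationIp, QueryName); sample paths and the user 'victim' are constructed."""
import re

SYSTEM_DRIVE = "C:"
# Directories a standard user can write to; a task action or compiler input here is suspicious.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
LEGIT_VBC_PARENTS = ("msbuild.exe", "devenv.exe", "csc.exe")

# IOCs from the page, kept defanged as published and refanged before matching.
IOC_MD5 = {"6d25e04e66cccb61648f34728af7c2f2", "f331c18c3f685d245d40911d3bd20519"}
IOC_DOMAINS = {"falimore001[.]hopto.org"}
IOC_IPS = {"178[.]237.33.50", "194[.]147.140.29"}
# geoplugin.net/json.gp is a legitimate geolocation API that Remcos queries; it is a
# correlation signal, not a standalone block indicator, so it is deliberately not listed here.


def refang(value):
    """Turn a defanged indicator ('178[.]237.33.50', 'http[:]//...') back into a real one."""
    return value.replace("[.]", ".").replace("[:]", ":")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def md5_from_hashes(field):
    """Extract the MD5 from a Sysmon Hashes field such as 'SHA256=...,MD5=...,IMPHASH=...'."""
    for part in field.split(","):
        key, _, val = part.partition("=")
        if key.strip().upper() == "MD5":
            return val.strip().lower()
    return None


def detect(events):
    """Return (label, reason) tuples for a chronologically ordered list of events."""
    alerts = []
    ioc_domains = {refang(d) for d in IOC_DOMAINS}
    ioc_ips = {refang(i) for i in IOC_IPS}
    image_dropped = False  # an .iso/.img file landed in a user-writable path earlier
    for e in events:
        eid = e["EventID"]
        if eid == 11:  # FileCreate: remember that a disk image was dropped
            name = e["TargetFilename"].lower()
            if name.endswith((".iso", ".img")) and USER_WRITABLE.search(name):
                image_dropped = True
            continue
        if eid == 3 and refang(e.get("DestinationIp", "")) in ioc_ips:
            alerts.append(("IOC", f"connection to listed C2 IP {e['DestinationIp']}"))
            continue
        if eid == 22 and e.get("QueryName", "").lower() in ioc_domains:
            alerts.append(("IOC", f"DNS query for listed domain {e['QueryName']}"))
            continue
        if eid != 1:
            continue
        image, parent, cmd = e["Image"], e.get("ParentImage", ""), e.get("CommandLine", "")
        exe, pexe = basename(image), basename(parent)
        if md5_from_hashes(e.get("Hashes", "")) in IOC_MD5:
            alerts.append(("IOC", f"{exe} matches a listed MD5"))
        # vbc.exe compiling source from a user path, not spawned by a build tool (page: T1059.005)
        if exe == "vbc.exe" and pexe not in LEGIT_VBC_PARENTS and USER_WRITABLE.search(cmd):
            alerts.append(("T1059.005", f"vbc.exe compiling source from a user path, parent {pexe}"))
        # schtasks /create whose /tr action points into a user-writable directory
        if exe == "schtasks.exe" and re.search(r"/create\b", cmd, re.IGNORECASE):
            m = re.search(r'/tr\s+"?([^"]+?)"?(?=\s+/|$)', cmd, re.IGNORECASE)
            if m and USER_WRITABLE.search(m.group(1)):
                alerts.append(("T1053.005", f"scheduled task runs {m.group(1).strip()}"))
        # auto-elevating easinvoker.exe copied out of its system directory for DLL side-loading
        if exe == "easinvoker.exe" and not image.lower().startswith(
                ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
            alerts.append(("T1548.002", f"easinvoker.exe running from {image}"))
        # explorer.exe launching a binary from a non-system drive after an image drop:
        # the mounted ISO shows up as a new drive letter (a \Device\CdRom volume)
        if image_dropped and pexe == "explorer.exe" and not image.upper().startswith(SYSTEM_DRIVE):
            alerts.append(("ISO-mount", f"{exe} launched from mounted image drive {image[:2]}"))
    return alerts


# Constructed event sequence mirroring the ISO-delivery chain described on the page.
SAMPLE_EVENTS = [
    {"EventID": 11, "TargetFilename": r"C:\Users\victim\Downloads\Invoice_2023.iso"},
    {"EventID": 1, "Image": r"E:\Invoice.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"E:\Invoice.exe", "Hashes": "MD5=6D25E04E66CCCB61648F34728AF7C2F2"},
    {"EventID": 1, "Image": r"C:\Users\victim\AppData\Local\Temp\easinvoker.exe",
     "ParentImage": r"E:\Invoice.exe", "CommandLine": "easinvoker.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"E:\Invoice.exe",
     "CommandLine": r"vbc.exe /out:C:\Users\victim\AppData\Local\Temp\stage.exe C:\Users\victim\AppData\Local\Temp\stage.vb"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"E:\Invoice.exe",
     "CommandLine": r'schtasks.exe /create /tn "Updater" /tr "C:\Users\victim\AppData\Roaming\remcos.exe" /sc onlogon'},
    {"EventID": 22, "QueryName": "falimore001.hopto.org"},
    {"EventID": 3, "DestinationIp": "178.237.33.50"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",  # benign admin query, no alert
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "schtasks.exe /query"},
]

if __name__ == "__main__":
    for label, reason in detect(SAMPLE_EVENTS):
        print(f"[{label}] {reason}")
```

The rules are intentionally narrow (parent process, writable path, system-directory checks) so that routine schtasks.exe queries and compiler runs launched by MSBuild do not fire; the same conditions translate directly into the Splunk, QRadar or Elastic queries the article provides.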
Read more: https://www.socinvestigation.com/remcos-rat-new-ttps-detection-response/